[ANSWERED] Help with a malware/virus written in VBScript?

ikkoup · January 2023

Hi hi,

Someone/group hacked a .gov.ly website in my country and started using it to spread malwares/virus by injecting images with VBScript.

I, using linux of course, downloaded the images and opened them in a text editor and they all have the same script [PASTE LINK HERE].

From my basic programming background, I figured it creates powershell files and writes something into them, probably encoded using strings to bytes converters or something. Then I tried the very long string which I guess it decodes into a hex/binary code that I didn't know how/where to go after...

Any help getting an IP or domain or something would greatly help.

I can send you the infected image URL privately if you want, but it's not much difference than what's in the paste above.

Thank you for your time.

ehab · January 2023

i am interested to learn this

may i ask how did you extract the script from the image?

skorupion · January 2023

This script appears to be a PowerShell script that performs a series of tasks. It performs several operations including creating directories, writing text files, loading assemblies, invoking methods from the loaded assemblies, and starting a VBS script.

It starts by killing several processes and then it creates a directory called "WindowsHost" in the "C:\ProgramData" directory.
It then creates a batch file called "wWsHYEaeTcWD.bat" in the "C:\Users\Public" directory, which contains a command to execute a PowerShell script called "xEyoIZuAfM.ps1" located in the "C:\Users\Public" directory.

The script then creates a VBS script called "HDWxJwBqipd.vbs" in the "C:\ProgramData\WindowsHost" directory, which runs the previously created batch file.

The script then modifies the registry so that the VBS script is run on startup.
It then defines a function called "jDgxXCyHGd" which takes an array of bytes as input and decompresses the bytes with gzip.

It then calls this function twice and assigns the return value to two different variables, $apvdKkIGX, and $sbtHDkzp, both of which are arrays of bytes.
It then loads an assembly into the current application domain from the byte array stored in the $apvdKkIGX variable.

It then uses the assembly that was loaded to check if two files, $ZdLWCaQrMJvvBKJrBRmvaT, and $BBzKuuGyDylBLOxQJQNkPDH, exist on the file system. If either file exists, it invokes the "Execute" method of a type named "order.yes" in the loaded assembly and passes it the path of the file and the byte array stored in the $sbtHDkzp variable as arguments.

Finally, it writes the content of the $KCyGfjyEJvGyBYOxwwYKS variable to a file called "xEyoIZuAfM.ps1" in the "C:\Users\Public" directory, and after a delay of 10 seconds, it uses the Start command to execute the "HDWxJwBqipd.vbs" script in the "C:\ProgramData\WindowsHost" directory.

It's difficult to know the exact purpose of this script without more context, but it appears that it's trying to perform various operations, including creating directories, writing text files, loading assemblies, invoking methods from the loaded assemblies, modifying the registry and starting a VBS script.
It also uses functions and several variables to perform these operations.
It's also worth noting that the script contains some obfuscation techniques, such as replacing certain characters in the string, concatenation of strings, and the use of non-printable characters.

This response was made by ChatGPT. I'll try and tinker some more with chatGPT to get you some more useful information.

Jab · January 2023

Have you tried simplest solution like https://www.virustotal.com/ or https://www.filescan.io/ that has sandbox thing enabled and shows all the connections + files created? :P

jmgcaguicla · January 2023

That whole thing is just the dropper for the actual embedded payload, that long byte strings you found are GZIP compressed .NET assemblies.

Here's the source via decompilation: https://paste.ee/p/x1zOj Disclaimer: DO NOT FUCKING RUN in case it wasn't obvious enough

Windows Defender says it's: Trojan:Script/Wacatac.H!ml

The domain in the source code is: 2_5_2_5_._l_i_b_y_a_2_0_2_0_._c_o_m_._l_y

Doesn't seem too fancy, just fires HTTP requests to the C&C and probably downloads more garbage.

EDIT: it's Njrat

https://twitter.com/h2jazi/status/1613586312979779589

ikkoup · January 2023

@ehab said:
i am interested to learn this

may i ask how did you extract the script from the image?

just downloaded the photo and opened it using a text editor. it wasn't hidden.

@skorupion said:
This response was made by ChatGPT. I'll try and tinker some more with chatGPT to get you some more useful information.

Wow, it's very well written and kinda scary how mostly accurate that AI has analyzed the code...

@Jab said:
Have you tried simplest solution like https://www.virustotal.com/ or https://www.filescan.io/ that has sandbox thing enabled and shows all the connections + files created? :P

Sadly it didn't give a deep report. only a threat was found by 3 anti-virus.

@jmgcaguicla said:
That whole thing is just the dropper for the actual embedded payload, that long byte strings you found are GZIP compressed .NET assemblies.

Here's the source via decompilation: https://paste.ee/p/x1zOj Disclaimer: DO NOT FUCKING RUN in case it wasn't obvious enough

Windows Defender says it's: Trojan:Script/Wacatac.H!ml

The domain in the source code is: 2_5_2_5_._l_i_b_y_a_2_0_2_0_._c_o_m_._l_y

Doesn't seem too fancy, just fires HTTP requests to the C&C and probably downloads more garbage.

EDIT: it's Njrat
https://twitter.com/h2jazi/status/1613586312979779589

THANK YOU SO MUCH!
Wow, that report on the twitter thread is kinda disheartening knowing that such attacks have been going since 2016 using government websites and servers...
You greatly helped us kinda getting a hold on these little POS!